Use of Fake Code Signing Certificates in Malware Surges

There has been surge in the use of counterfeit code signing certificates to evade security detection solutions, despite the high cost such certificates come with, a new Recorded Future report shows.

Fake code signing certificates are used as a layered obfuscation technique in malware distribution campaigns, but these aren’t always stolen from legitimate owners, but rather issued upon request. The certificates are created for the specific buyer and registered using stolen corporate credentials, thus rendering traditional network defenses less effective, Recorded Future says.

Counterfeit certificates have been around for over half a decade, but the first offerings for such certificates were observed on the Dark Web only several years ago.

In March 2015, a user known as [email protected] offered on a prolific hacking messaging board a Microsoft Authenticode that could sign 32-bit/64-bit executable files, along with Microsoft Office, Microsoft VBA, Netscape Object Signing, and Marimba Channel Signing documents, and Silverlight 4 applications. Furthermore, Apple code signing certificates were also available, Recorded Future's researchers say.

The advertiser claimed the certificates were issued by Comodo, Thawte, and Symantec and registered under legitimate corporations. The seller also said each certificate was unique and would only be assigned to a single buyer. The seller suggested the certificates would increase the success rate of malware installations 30% to 50% and claimed to have sold over 60 certificates in less than six months.

What prevented [email protected]’s offer to appeal to a large client base was the prohibitive cost of certificates, which can surpass $1,000 per certificate in some instances.

Several years later, three new actors started offering such services, primarily in the Eastern European underground, and two remain active, providing counterfeit certificates to Russian-speaking individuals.

One of the actors specializes in Class 3 certificates (they do not include Extended Validation (EV) assurance) and offers them at $600. The other seller has a broad range of products in the offering, the researchers discovered.

“According to the information provided by both sellers during a private conversation, to guarantee the issuance and lifespan of the products, all certificates are registered using the information of real corporations. With a high degree of confidence, we believe that the legitimate business owners are unaware that their data was used in the illicit activities,” Recorded Future notes.

All certificates are created per the buyer’s request, individually, and have an average delivery time of two to four days.

A trial one of the vendors conducted revealed that detection rate of the payload executable of a previously unreported Remote Access Trojan (RAT) decreased upon signing with a recently issued Comodo certificate. Testing a non-resident version of the payload revealed that only one security product recognized the file as malicious.

“Network security appliances performing deep packet inspection become less effective when legitimate (legitimate certificate) SSL/TLS traffic is initiated by a malicious implant. Netflow (packet headers) analysis is an important control toward reducing risk, as host-based controls may also be rendered ineffective by legitimate code signing certificates,” the security researchers note.

The counterfeit certificates might have experienced a surge, but they are not expected to become mainstream because of their prohibitive cost when compared to crypting services that are readily available at $10-$30 per each encryption. Nonetheless, more sophisticated attackers and nation-state actors will continue employing code signing and SSL certificates in their operations.